T-Mobile patched a vulnerability on its website last week that could have exposed the personal information — including email addresses, account numbers, and other data — of its 76 million users.
Motherboard reports that the bug, which was first found by Secure7 security researcher Karan Saini, allowed ne’er-do-wells who either knew or guessed a T-Mobile customer’s phone number to access others’ personal data.
According to Saini — who reported the flaw to T-Mobile — the bug was found in the wsg.t-mobile.com API.
He was able to search someone else’s phone number and the API would send back a response containing the other person’s data, including email address, account number, and IMSI — a unique number that identifies subscribers.
“T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,” Saini told Motherboard.
If this occurred, it would “effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim,” Saini said.
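As an added illustration that is not T-Mobile's or Saini's code (the endpoint, records and log lines below are all constructed), a phone-number lookup of the kind described above in its vulnerable and hardened forms, plus a simple check for the bulk-scraping pattern Saini warns about:

```python
"""Added example: object-level authorization on a subscriber lookup, and
detection of enumeration across many phone numbers. All data is made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Subscriber:
    phone: str
    account_number: str
    email: str
    imsi: str


# Constructed sample records; none of these values are real.
SUBSCRIBERS = {
    "5550100": Subscriber("5550100", "ACCT-0001", "alice@example.com", "310260000000001"),
    "5550101": Subscriber("5550101", "ACCT-0002", "bob@example.com", "310260000000002"),
}


def lookup_vulnerable(requested_phone: str, _session_phone: str) -> Optional[Subscriber]:
    """Returns the record for whatever phone number the caller names: the
    authenticated session is never compared with the object being fetched."""
    return SUBSCRIBERS.get(requested_phone)


def lookup_hardened(requested_phone: str, session_phone: str) -> Optional[Subscriber]:
    """Object-level authorization: the record is returned only when the
    authenticated session owns the requested phone number."""
    if requested_phone != session_phone:
        return None  # deny; a real service would also log the denied access
    return SUBSCRIBERS.get(requested_phone)


# Constructed access-log lines: "<client> <session_phone> <requested_phone>"
ACCESS_LOG = [
    "10.0.0.5 5550100 5550100",
    "10.0.0.9 5550101 5550100",
    "10.0.0.9 5550101 5550102",
    "10.0.0.9 5550101 5550103",
]


def flag_enumeration(log_lines: List[str], threshold: int = 2) -> List[str]:
    """Returns clients that requested at least `threshold` distinct phone
    numbers other than their own, the footprint a scraping script leaves."""
    foreign: Dict[str, Set[str]] = {}
    for line in log_lines:
        client, session_phone, requested = line.split()
        if requested != session_phone:
            foreign.setdefault(client, set()).add(requested)
    return sorted(c for c, nums in foreign.items() if len(nums) >= threshold)
```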
For its part, T-Mobile tells Motherboard that the issue only affected a small number of customers.
A rep said the company investigated the issue and it was “fully resolved in less than 24 hours. There is no indication that it was shared more broadly.”
T-Mobile noted that it appreciated the “responsible reporting of bugs through our Bug Bounty program to protect our customers and encourage researchers to contact” the company.
Saini tells Motherboard that the wireless company thanked him for reporting the flaw and offered a $1,000 reward as part of its bug bounty program.
While T-Mobile noted that the flaw was fixed before customer info was exposed, another hacker claimed that wasn’t the case.
The hacker maintained that hackers had exploited the flaw in order to take over phone numbers by requesting new SIM cards impersonating the legitimate owners.
In response to the claim, a T-Mobile rep reiterated to Motherboard that the original flaw was fixed in 24 hours and there was no evidence of customer accounts being affected as a result of the vulnerability.